The Carbanak cybercrime gang, best known for allegedly stealing $1 billion from financial institutions worldwide, have shifted strategy and are targeting the hospitality and restaurant industries with new techniques and malware.

According to security researchers at Trustwave, over the last several weeks Carbanak has been targeting hospitality call centers with elaborate ploys to get customer service representatives to accept and download emails with malicious macro-laced documents. The target is credit card data scraped from the memory of point-of-sale systems.

“Carbanak used to be known for its billion-dollar bank heists. We have seen a dramatic shift in Carbanak and who it targets and how,” said Brian Hussey, director of global incident readiness and response at Trustwave.

Hussey said that Carbanak (also known as Anunak) is now going after point-of-sale systems with recompiled Carbanak malware that is difficult to detect. He said that hackers are also going to great lengths to target U.S.-based victims. “The social engineering is highly targeted, conducted via direct phone calls by threat actors with excellent English skills,” he said. Hackers are going so far as to create websites of bogus companies they pretend to represent, stringing targets along with multiple phone calls and developing personable relationships.

“An attacker called the customer contact line saying that they were unable to use the online reservation system and requested to send their information to the agent via email. The attacker stayed on the line until the agent opened the attachment contained in the email and hung up when his attack was confirmed successful,” according to a Trustwave technical description of the attack.

Hussey called “the persistence, professionalism and pervasiveness of this campaign” is at a level rarely seen. First discovered by Kaspersky Lab, Carbanak is best known for its 2014 crime spree when it stole as much as $1 billion from more than 100 financial institutions in a string of attacks against banks in the United States, Germany and China. But, Hussey said, since its heyday a weakened Carbanak has been forced to develop new targets and revamp its malware to avoid detection.